1 /* $OpenBSD: t1_lib.c,v 1.195 2022/08/17 18:45:25 tb Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112 #include <stdio.h>
113
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/objects.h>
117 #include <openssl/ocsp.h>
118
119 #include "bytestring.h"
120 #include "ssl_locl.h"
121 #include "ssl_sigalgs.h"
122 #include "ssl_tlsext.h"
123
124 static int tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert,
125 SSL_SESSION **psess);
126
127 int
tls1_new(SSL * s)128 tls1_new(SSL *s)
129 {
130 if (!ssl3_new(s))
131 return (0);
132 s->method->ssl_clear(s);
133 return (1);
134 }
135
136 void
tls1_free(SSL * s)137 tls1_free(SSL *s)
138 {
139 if (s == NULL)
140 return;
141
142 free(s->internal->tlsext_session_ticket);
143 ssl3_free(s);
144 }
145
146 void
tls1_clear(SSL * s)147 tls1_clear(SSL *s)
148 {
149 ssl3_clear(s);
150 s->version = s->method->version;
151 }
152
153 struct supported_group {
154 int nid;
155 int bits;
156 };
157
158 /*
159 * Supported groups (formerly known as named curves)
160 * https://www.iana.org/assignments/tls-parameters/#tls-parameters-8
161 */
162 static const struct supported_group nid_list[] = {
163 [1] = {
164 .nid = NID_sect163k1,
165 .bits = 80,
166 },
167 [2] = {
168 .nid = NID_sect163r1,
169 .bits = 80,
170 },
171 [3] = {
172 .nid = NID_sect163r2,
173 .bits = 80,
174 },
175 [4] = {
176 .nid = NID_sect193r1,
177 .bits = 80,
178 },
179 [5] = {
180 .nid = NID_sect193r2,
181 .bits = 80,
182 },
183 [6] = {
184 .nid = NID_sect233k1,
185 .bits = 112,
186 },
187 [7] = {
188 .nid = NID_sect233r1,
189 .bits = 112,
190 },
191 [8] = {
192 .nid = NID_sect239k1,
193 .bits = 112,
194 },
195 [9] = {
196 .nid = NID_sect283k1,
197 .bits = 128,
198 },
199 [10] = {
200 .nid = NID_sect283r1,
201 .bits = 128,
202 },
203 [11] = {
204 .nid = NID_sect409k1,
205 .bits = 192,
206 },
207 [12] = {
208 .nid = NID_sect409r1,
209 .bits = 192,
210 },
211 [13] = {
212 .nid = NID_sect571k1,
213 .bits = 256,
214 },
215 [14] = {
216 .nid = NID_sect571r1,
217 .bits = 256,
218 },
219 [15] = {
220 .nid = NID_secp160k1,
221 .bits = 80,
222 },
223 [16] = {
224 .nid = NID_secp160r1,
225 .bits = 80,
226 },
227 [17] = {
228 .nid = NID_secp160r2,
229 .bits = 80,
230 },
231 [18] = {
232 .nid = NID_secp192k1,
233 .bits = 80,
234 },
235 [19] = {
236 .nid = NID_X9_62_prime192v1, /* aka secp192r1 */
237 .bits = 80,
238 },
239 [20] = {
240 .nid = NID_secp224k1,
241 .bits = 112,
242 },
243 [21] = {
244 .nid = NID_secp224r1,
245 .bits = 112,
246 },
247 [22] = {
248 .nid = NID_secp256k1,
249 .bits = 128,
250 },
251 [23] = {
252 .nid = NID_X9_62_prime256v1, /* aka secp256r1 */
253 .bits = 128,
254 },
255 [24] = {
256 .nid = NID_secp384r1,
257 .bits = 192,
258 },
259 [25] = {
260 .nid = NID_secp521r1,
261 .bits = 256,
262 },
263 [26] = {
264 .nid = NID_brainpoolP256r1,
265 .bits = 128,
266 },
267 [27] = {
268 .nid = NID_brainpoolP384r1,
269 .bits = 192,
270 },
271 [28] = {
272 .nid = NID_brainpoolP512r1,
273 .bits = 256,
274 },
275 [29] = {
276 .nid = NID_X25519,
277 .bits = 128,
278 },
279 };
280
281 #define NID_LIST_LEN (sizeof(nid_list) / sizeof(nid_list[0]))
282
283 #if 0
284 static const uint8_t ecformats_list[] = {
285 TLSEXT_ECPOINTFORMAT_uncompressed,
286 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
287 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
288 };
289 #endif
290
291 static const uint8_t ecformats_default[] = {
292 TLSEXT_ECPOINTFORMAT_uncompressed,
293 };
294
295 #if 0
296 static const uint16_t ecgroups_list[] = {
297 29, /* X25519 (29) */
298 14, /* sect571r1 (14) */
299 13, /* sect571k1 (13) */
300 25, /* secp521r1 (25) */
301 28, /* brainpoolP512r1 (28) */
302 11, /* sect409k1 (11) */
303 12, /* sect409r1 (12) */
304 27, /* brainpoolP384r1 (27) */
305 24, /* secp384r1 (24) */
306 9, /* sect283k1 (9) */
307 10, /* sect283r1 (10) */
308 26, /* brainpoolP256r1 (26) */
309 22, /* secp256k1 (22) */
310 23, /* secp256r1 (23) */
311 8, /* sect239k1 (8) */
312 6, /* sect233k1 (6) */
313 7, /* sect233r1 (7) */
314 20, /* secp224k1 (20) */
315 21, /* secp224r1 (21) */
316 4, /* sect193r1 (4) */
317 5, /* sect193r2 (5) */
318 18, /* secp192k1 (18) */
319 19, /* secp192r1 (19) */
320 1, /* sect163k1 (1) */
321 2, /* sect163r1 (2) */
322 3, /* sect163r2 (3) */
323 15, /* secp160k1 (15) */
324 16, /* secp160r1 (16) */
325 17, /* secp160r2 (17) */
326 };
327 #endif
328
329 static const uint16_t ecgroups_client_default[] = {
330 29, /* X25519 (29) */
331 23, /* secp256r1 (23) */
332 24, /* secp384r1 (24) */
333 25, /* secp521r1 (25) */
334 };
335
336 static const uint16_t ecgroups_server_default[] = {
337 29, /* X25519 (29) */
338 23, /* secp256r1 (23) */
339 24, /* secp384r1 (24) */
340 };
341
342 int
tls1_ec_group_id2nid(uint16_t group_id,int * out_nid)343 tls1_ec_group_id2nid(uint16_t group_id, int *out_nid)
344 {
345 int nid;
346
347 if (group_id >= NID_LIST_LEN)
348 return 0;
349
350 if ((nid = nid_list[group_id].nid) == 0)
351 return 0;
352
353 *out_nid = nid;
354
355 return 1;
356 }
357
358 int
tls1_ec_group_id2bits(uint16_t group_id,int * out_bits)359 tls1_ec_group_id2bits(uint16_t group_id, int *out_bits)
360 {
361 int bits;
362
363 if (group_id >= NID_LIST_LEN)
364 return 0;
365
366 if ((bits = nid_list[group_id].bits) == 0)
367 return 0;
368
369 *out_bits = bits;
370
371 return 1;
372 }
373
374 int
tls1_ec_nid2group_id(int nid,uint16_t * out_group_id)375 tls1_ec_nid2group_id(int nid, uint16_t *out_group_id)
376 {
377 uint16_t group_id;
378
379 if (nid == 0)
380 return 0;
381
382 for (group_id = 0; group_id < NID_LIST_LEN; group_id++) {
383 if (nid_list[group_id].nid == nid) {
384 *out_group_id = group_id;
385 return 1;
386 }
387 }
388
389 return 0;
390 }
391
392 /*
393 * Return the appropriate format list. If client_formats is non-zero, return
394 * the client/session formats. Otherwise return the custom format list if one
395 * exists, or the default formats if a custom list has not been specified.
396 */
397 void
tls1_get_formatlist(const SSL * s,int client_formats,const uint8_t ** pformats,size_t * pformatslen)398 tls1_get_formatlist(const SSL *s, int client_formats, const uint8_t **pformats,
399 size_t *pformatslen)
400 {
401 if (client_formats != 0) {
402 *pformats = s->session->tlsext_ecpointformatlist;
403 *pformatslen = s->session->tlsext_ecpointformatlist_length;
404 return;
405 }
406
407 *pformats = s->internal->tlsext_ecpointformatlist;
408 *pformatslen = s->internal->tlsext_ecpointformatlist_length;
409 if (*pformats == NULL) {
410 *pformats = ecformats_default;
411 *pformatslen = sizeof(ecformats_default);
412 }
413 }
414
415 /*
416 * Return the appropriate group list. If client_groups is non-zero, return
417 * the client/session groups. Otherwise return the custom group list if one
418 * exists, or the default groups if a custom list has not been specified.
419 */
420 void
tls1_get_group_list(const SSL * s,int client_groups,const uint16_t ** pgroups,size_t * pgroupslen)421 tls1_get_group_list(const SSL *s, int client_groups, const uint16_t **pgroups,
422 size_t *pgroupslen)
423 {
424 if (client_groups != 0) {
425 *pgroups = s->session->tlsext_supportedgroups;
426 *pgroupslen = s->session->tlsext_supportedgroups_length;
427 return;
428 }
429
430 *pgroups = s->internal->tlsext_supportedgroups;
431 *pgroupslen = s->internal->tlsext_supportedgroups_length;
432 if (*pgroups != NULL)
433 return;
434
435 if (!s->server) {
436 *pgroups = ecgroups_client_default;
437 *pgroupslen = sizeof(ecgroups_client_default) / 2;
438 } else {
439 *pgroups = ecgroups_server_default;
440 *pgroupslen = sizeof(ecgroups_server_default) / 2;
441 }
442 }
443
444 static int
tls1_get_group_lists(const SSL * ssl,const uint16_t ** pref,size_t * preflen,const uint16_t ** supp,size_t * supplen)445 tls1_get_group_lists(const SSL *ssl, const uint16_t **pref, size_t *preflen,
446 const uint16_t **supp, size_t *supplen)
447 {
448 unsigned long server_pref;
449
450 /* Cannot do anything on the client side. */
451 if (!ssl->server)
452 return 0;
453
454 server_pref = (ssl->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE);
455 tls1_get_group_list(ssl, (server_pref == 0), pref, preflen);
456 tls1_get_group_list(ssl, (server_pref != 0), supp, supplen);
457
458 return 1;
459 }
460
461 static int
tls1_group_id_present(uint16_t group_id,const uint16_t * list,size_t list_len)462 tls1_group_id_present(uint16_t group_id, const uint16_t *list, size_t list_len)
463 {
464 size_t i;
465
466 for (i = 0; i < list_len; i++) {
467 if (group_id == list[i])
468 return 1;
469 }
470
471 return 0;
472 }
473
474 int
tls1_count_shared_groups(const SSL * ssl,size_t * out_count)475 tls1_count_shared_groups(const SSL *ssl, size_t *out_count)
476 {
477 size_t count, preflen, supplen, i;
478 const uint16_t *pref, *supp;
479
480 if (!tls1_get_group_lists(ssl, &pref, &preflen, &supp, &supplen))
481 return 0;
482
483 count = 0;
484 for (i = 0; i < preflen; i++) {
485 if (!tls1_group_id_present(pref[i], supp, supplen))
486 continue;
487
488 if (!ssl_security_shared_group(ssl, pref[i]))
489 continue;
490
491 count++;
492 }
493
494 *out_count = count;
495
496 return 1;
497 }
498
499 static int
tls1_group_by_index(const SSL * ssl,size_t n,int * out_nid,int (* ssl_security_fn)(const SSL *,uint16_t))500 tls1_group_by_index(const SSL *ssl, size_t n, int *out_nid,
501 int (*ssl_security_fn)(const SSL *, uint16_t))
502 {
503 size_t count, preflen, supplen, i;
504 const uint16_t *pref, *supp;
505
506 if (!tls1_get_group_lists(ssl, &pref, &preflen, &supp, &supplen))
507 return 0;
508
509 count = 0;
510 for (i = 0; i < preflen; i++) {
511 if (!tls1_group_id_present(pref[i], supp, supplen))
512 continue;
513
514 if (!ssl_security_fn(ssl, pref[i]))
515 continue;
516
517 if (count++ == n)
518 return tls1_ec_group_id2nid(pref[i], out_nid);
519 }
520
521 return 0;
522 }
523
524 int
tls1_get_shared_group_by_index(const SSL * ssl,size_t index,int * out_nid)525 tls1_get_shared_group_by_index(const SSL *ssl, size_t index, int *out_nid)
526 {
527 return tls1_group_by_index(ssl, index, out_nid,
528 ssl_security_shared_group);
529 }
530
531 int
tls1_get_supported_group(const SSL * ssl,int * out_nid)532 tls1_get_supported_group(const SSL *ssl, int *out_nid)
533 {
534 return tls1_group_by_index(ssl, 0, out_nid,
535 ssl_security_supported_group);
536 }
537
538 int
tls1_set_groups(uint16_t ** out_group_ids,size_t * out_group_ids_len,const int * groups,size_t ngroups)539 tls1_set_groups(uint16_t **out_group_ids, size_t *out_group_ids_len,
540 const int *groups, size_t ngroups)
541 {
542 uint16_t *group_ids;
543 size_t i;
544
545 if ((group_ids = calloc(ngroups, sizeof(uint16_t))) == NULL)
546 return 0;
547
548 for (i = 0; i < ngroups; i++) {
549 if (!tls1_ec_nid2group_id(groups[i], &group_ids[i])) {
550 free(group_ids);
551 return 0;
552 }
553 }
554
555 free(*out_group_ids);
556 *out_group_ids = group_ids;
557 *out_group_ids_len = ngroups;
558
559 return 1;
560 }
561
562 int
tls1_set_group_list(uint16_t ** out_group_ids,size_t * out_group_ids_len,const char * groups)563 tls1_set_group_list(uint16_t **out_group_ids, size_t *out_group_ids_len,
564 const char *groups)
565 {
566 uint16_t *new_group_ids, *group_ids = NULL;
567 size_t ngroups = 0;
568 char *gs, *p, *q;
569 int nid;
570
571 if ((gs = strdup(groups)) == NULL)
572 return 0;
573
574 q = gs;
575 while ((p = strsep(&q, ":")) != NULL) {
576 nid = OBJ_sn2nid(p);
577 if (nid == NID_undef)
578 nid = OBJ_ln2nid(p);
579 if (nid == NID_undef)
580 nid = EC_curve_nist2nid(p);
581 if (nid == NID_undef)
582 goto err;
583
584 if ((new_group_ids = reallocarray(group_ids, ngroups + 1,
585 sizeof(uint16_t))) == NULL)
586 goto err;
587 group_ids = new_group_ids;
588
589 if (!tls1_ec_nid2group_id(nid, &group_ids[ngroups]))
590 goto err;
591
592 ngroups++;
593 }
594
595 free(gs);
596 free(*out_group_ids);
597 *out_group_ids = group_ids;
598 *out_group_ids_len = ngroups;
599
600 return 1;
601
602 err:
603 free(gs);
604 free(group_ids);
605
606 return 0;
607 }
608
609 /* Check that a group is one of our preferences. */
610 int
tls1_check_group(SSL * s,uint16_t group_id)611 tls1_check_group(SSL *s, uint16_t group_id)
612 {
613 const uint16_t *groups;
614 size_t groupslen, i;
615
616 tls1_get_group_list(s, 0, &groups, &groupslen);
617
618 for (i = 0; i < groupslen; i++) {
619 if (!ssl_security_supported_group(s, groups[i]))
620 continue;
621 if (groups[i] == group_id)
622 return 1;
623 }
624 return 0;
625 }
626
627 /* For an EC key set TLS ID and required compression based on parameters. */
628 static int
tls1_set_ec_id(uint16_t * group_id,uint8_t * comp_id,EC_KEY * ec)629 tls1_set_ec_id(uint16_t *group_id, uint8_t *comp_id, EC_KEY *ec)
630 {
631 const EC_GROUP *grp;
632 const EC_METHOD *meth;
633 int prime_field;
634 int nid;
635
636 if (ec == NULL)
637 return (0);
638
639 /* Determine whether the group is defined over a prime field. */
640 if ((grp = EC_KEY_get0_group(ec)) == NULL)
641 return (0);
642 if ((meth = EC_GROUP_method_of(grp)) == NULL)
643 return (0);
644 prime_field = (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field);
645
646 /* Determine group ID. */
647 nid = EC_GROUP_get_curve_name(grp);
648 /* If we have an ID set it, otherwise set arbitrary explicit group. */
649 if (!tls1_ec_nid2group_id(nid, group_id))
650 *group_id = prime_field ? 0xff01 : 0xff02;
651
652 if (comp_id == NULL)
653 return (1);
654
655 /* Specify the compression identifier. */
656 if (EC_KEY_get0_public_key(ec) == NULL)
657 return (0);
658 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
659 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
660 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
661 if (prime_field)
662 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
663 }
664
665 return (1);
666 }
667
668 /* Check that an EC key is compatible with extensions. */
669 static int
tls1_check_ec_key(SSL * s,const uint16_t * group_id,const uint8_t * comp_id)670 tls1_check_ec_key(SSL *s, const uint16_t *group_id, const uint8_t *comp_id)
671 {
672 size_t groupslen, formatslen, i;
673 const uint16_t *groups;
674 const uint8_t *formats;
675
676 /*
677 * Check point formats extension if present, otherwise everything
678 * is supported (see RFC4492).
679 */
680 tls1_get_formatlist(s, 1, &formats, &formatslen);
681 if (comp_id != NULL && formats != NULL) {
682 for (i = 0; i < formatslen; i++) {
683 if (formats[i] == *comp_id)
684 break;
685 }
686 if (i == formatslen)
687 return (0);
688 }
689
690 /*
691 * Check group list if present, otherwise everything is supported.
692 */
693 tls1_get_group_list(s, 1, &groups, &groupslen);
694 if (group_id != NULL && groups != NULL) {
695 for (i = 0; i < groupslen; i++) {
696 if (groups[i] == *group_id)
697 break;
698 }
699 if (i == groupslen)
700 return (0);
701 }
702
703 return (1);
704 }
705
706 /* Check EC server key is compatible with client extensions. */
707 int
tls1_check_ec_server_key(SSL * s)708 tls1_check_ec_server_key(SSL *s)
709 {
710 SSL_CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
711 uint16_t group_id;
712 uint8_t comp_id;
713 EC_KEY *eckey;
714 EVP_PKEY *pkey;
715
716 if (cpk->x509 == NULL || cpk->privatekey == NULL)
717 return (0);
718 if ((pkey = X509_get0_pubkey(cpk->x509)) == NULL)
719 return (0);
720 if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL)
721 return (0);
722 if (!tls1_set_ec_id(&group_id, &comp_id, eckey))
723 return (0);
724
725 return tls1_check_ec_key(s, &group_id, &comp_id);
726 }
727
728 int
ssl_check_clienthello_tlsext_early(SSL * s)729 ssl_check_clienthello_tlsext_early(SSL *s)
730 {
731 int ret = SSL_TLSEXT_ERR_NOACK;
732 int al = SSL_AD_UNRECOGNIZED_NAME;
733
734 /* The handling of the ECPointFormats extension is done elsewhere, namely in
735 * ssl3_choose_cipher in s3_lib.c.
736 */
737 /* The handling of the EllipticCurves extension is done elsewhere, namely in
738 * ssl3_choose_cipher in s3_lib.c.
739 */
740
741 if (s->ctx != NULL && s->ctx->internal->tlsext_servername_callback != 0)
742 ret = s->ctx->internal->tlsext_servername_callback(s, &al,
743 s->ctx->internal->tlsext_servername_arg);
744 else if (s->initial_ctx != NULL && s->initial_ctx->internal->tlsext_servername_callback != 0)
745 ret = s->initial_ctx->internal->tlsext_servername_callback(s, &al,
746 s->initial_ctx->internal->tlsext_servername_arg);
747
748 switch (ret) {
749 case SSL_TLSEXT_ERR_ALERT_FATAL:
750 ssl3_send_alert(s, SSL3_AL_FATAL, al);
751 return -1;
752 case SSL_TLSEXT_ERR_ALERT_WARNING:
753 ssl3_send_alert(s, SSL3_AL_WARNING, al);
754 return 1;
755 case SSL_TLSEXT_ERR_NOACK:
756 default:
757 return 1;
758 }
759 }
760
761 int
ssl_check_clienthello_tlsext_late(SSL * s)762 ssl_check_clienthello_tlsext_late(SSL *s)
763 {
764 int ret = SSL_TLSEXT_ERR_OK;
765 int al = 0; /* XXX gcc3 */
766
767 /* If status request then ask callback what to do.
768 * Note: this must be called after servername callbacks in case
769 * the certificate has changed, and must be called after the cipher
770 * has been chosen because this may influence which certificate is sent
771 */
772 if ((s->tlsext_status_type != -1) &&
773 s->ctx && s->ctx->internal->tlsext_status_cb) {
774 int r;
775 SSL_CERT_PKEY *certpkey;
776 certpkey = ssl_get_server_send_pkey(s);
777 /* If no certificate can't return certificate status */
778 if (certpkey == NULL) {
779 s->internal->tlsext_status_expected = 0;
780 return 1;
781 }
782 /* Set current certificate to one we will use so
783 * SSL_get_certificate et al can pick it up.
784 */
785 s->cert->key = certpkey;
786 r = s->ctx->internal->tlsext_status_cb(s,
787 s->ctx->internal->tlsext_status_arg);
788 switch (r) {
789 /* We don't want to send a status request response */
790 case SSL_TLSEXT_ERR_NOACK:
791 s->internal->tlsext_status_expected = 0;
792 break;
793 /* status request response should be sent */
794 case SSL_TLSEXT_ERR_OK:
795 if (s->internal->tlsext_ocsp_resp)
796 s->internal->tlsext_status_expected = 1;
797 else
798 s->internal->tlsext_status_expected = 0;
799 break;
800 /* something bad happened */
801 case SSL_TLSEXT_ERR_ALERT_FATAL:
802 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
803 al = SSL_AD_INTERNAL_ERROR;
804 goto err;
805 }
806 } else
807 s->internal->tlsext_status_expected = 0;
808
809 err:
810 switch (ret) {
811 case SSL_TLSEXT_ERR_ALERT_FATAL:
812 ssl3_send_alert(s, SSL3_AL_FATAL, al);
813 return -1;
814 case SSL_TLSEXT_ERR_ALERT_WARNING:
815 ssl3_send_alert(s, SSL3_AL_WARNING, al);
816 return 1;
817 default:
818 return 1;
819 }
820 }
821
822 int
ssl_check_serverhello_tlsext(SSL * s)823 ssl_check_serverhello_tlsext(SSL *s)
824 {
825 int ret = SSL_TLSEXT_ERR_NOACK;
826 int al = SSL_AD_UNRECOGNIZED_NAME;
827
828 ret = SSL_TLSEXT_ERR_OK;
829
830 if (s->ctx != NULL && s->ctx->internal->tlsext_servername_callback != 0)
831 ret = s->ctx->internal->tlsext_servername_callback(s, &al,
832 s->ctx->internal->tlsext_servername_arg);
833 else if (s->initial_ctx != NULL && s->initial_ctx->internal->tlsext_servername_callback != 0)
834 ret = s->initial_ctx->internal->tlsext_servername_callback(s, &al,
835 s->initial_ctx->internal->tlsext_servername_arg);
836
837 /* If we've requested certificate status and we wont get one
838 * tell the callback
839 */
840 if ((s->tlsext_status_type != -1) && !(s->internal->tlsext_status_expected) &&
841 s->ctx && s->ctx->internal->tlsext_status_cb) {
842 int r;
843
844 free(s->internal->tlsext_ocsp_resp);
845 s->internal->tlsext_ocsp_resp = NULL;
846 s->internal->tlsext_ocsp_resp_len = 0;
847
848 r = s->ctx->internal->tlsext_status_cb(s,
849 s->ctx->internal->tlsext_status_arg);
850 if (r == 0) {
851 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
852 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
853 }
854 if (r < 0) {
855 al = SSL_AD_INTERNAL_ERROR;
856 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
857 }
858 }
859
860 switch (ret) {
861 case SSL_TLSEXT_ERR_ALERT_FATAL:
862 ssl3_send_alert(s, SSL3_AL_FATAL, al);
863 return -1;
864 case SSL_TLSEXT_ERR_ALERT_WARNING:
865 ssl3_send_alert(s, SSL3_AL_WARNING, al);
866 return 1;
867 case SSL_TLSEXT_ERR_NOACK:
868 default:
869 return 1;
870 }
871 }
872
873 /* Since the server cache lookup is done early on in the processing of the
874 * ClientHello, and other operations depend on the result, we need to handle
875 * any TLS session ticket extension at the same time.
876 *
877 * ext_block: a CBS for the ClientHello extensions block.
878 * ret: (output) on return, if a ticket was decrypted, then this is set to
879 * point to the resulting session.
880 *
881 * If s->internal->tls_session_secret_cb is set then we are expecting a pre-shared key
882 * ciphersuite, in which case we have no use for session tickets and one will
883 * never be decrypted, nor will s->internal->tlsext_ticket_expected be set to 1.
884 *
885 * Returns:
886 * TLS1_TICKET_FATAL_ERROR: error from parsing or decrypting the ticket.
887 * TLS1_TICKET_NONE: no ticket was found (or was ignored, based on settings).
888 * TLS1_TICKET_EMPTY: a zero length extension was found, indicating that the
889 * client supports session tickets but doesn't currently have one to offer.
890 * TLS1_TICKET_NOT_DECRYPTED: either s->internal->tls_session_secret_cb was
891 * set, or a ticket was offered but couldn't be decrypted because of a
892 * non-fatal error.
893 * TLS1_TICKET_DECRYPTED: a ticket was successfully decrypted and *ret was set.
894 *
895 * Side effects:
896 * Sets s->internal->tlsext_ticket_expected to 1 if the server will have to issue
897 * a new session ticket to the client because the client indicated support
898 * (and s->internal->tls_session_secret_cb is NULL) but the client either doesn't have
899 * a session ticket or we couldn't use the one it gave us, or if
900 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
901 * Otherwise, s->internal->tlsext_ticket_expected is set to 0.
902 */
903 int
tls1_process_ticket(SSL * s,CBS * ext_block,int * alert,SSL_SESSION ** ret)904 tls1_process_ticket(SSL *s, CBS *ext_block, int *alert, SSL_SESSION **ret)
905 {
906 CBS extensions, ext_data;
907 uint16_t ext_type = 0;
908
909 s->internal->tlsext_ticket_expected = 0;
910 *ret = NULL;
911
912 /*
913 * If tickets disabled behave as if no ticket present to permit stateful
914 * resumption.
915 */
916 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
917 return TLS1_TICKET_NONE;
918
919 /*
920 * An empty extensions block is valid, but obviously does not contain
921 * a session ticket.
922 */
923 if (CBS_len(ext_block) == 0)
924 return TLS1_TICKET_NONE;
925
926 if (!CBS_get_u16_length_prefixed(ext_block, &extensions)) {
927 *alert = SSL_AD_DECODE_ERROR;
928 return TLS1_TICKET_FATAL_ERROR;
929 }
930
931 while (CBS_len(&extensions) > 0) {
932 if (!CBS_get_u16(&extensions, &ext_type) ||
933 !CBS_get_u16_length_prefixed(&extensions, &ext_data)) {
934 *alert = SSL_AD_DECODE_ERROR;
935 return TLS1_TICKET_FATAL_ERROR;
936 }
937
938 if (ext_type == TLSEXT_TYPE_session_ticket)
939 break;
940 }
941
942 if (ext_type != TLSEXT_TYPE_session_ticket)
943 return TLS1_TICKET_NONE;
944
945 if (CBS_len(&ext_data) == 0) {
946 /*
947 * The client will accept a ticket but does not currently
948 * have one.
949 */
950 s->internal->tlsext_ticket_expected = 1;
951 return TLS1_TICKET_EMPTY;
952 }
953
954 if (s->internal->tls_session_secret_cb != NULL) {
955 /*
956 * Indicate that the ticket could not be decrypted rather than
957 * generating the session from ticket now, trigger abbreviated
958 * handshake based on external mechanism to calculate the master
959 * secret later.
960 */
961 return TLS1_TICKET_NOT_DECRYPTED;
962 }
963
964 return tls_decrypt_ticket(s, &ext_data, alert, ret);
965 }
966
967 /* tls_decrypt_ticket attempts to decrypt a session ticket.
968 *
969 * ticket: a CBS containing the body of the session ticket extension.
970 * psess: (output) on return, if a ticket was decrypted, then this is set to
971 * point to the resulting session.
972 *
973 * Returns:
974 * TLS1_TICKET_FATAL_ERROR: error from parsing or decrypting the ticket.
975 * TLS1_TICKET_NOT_DECRYPTED: the ticket couldn't be decrypted.
976 * TLS1_TICKET_DECRYPTED: a ticket was decrypted and *psess was set.
977 */
978 static int
tls_decrypt_ticket(SSL * s,CBS * ticket,int * alert,SSL_SESSION ** psess)979 tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess)
980 {
981 CBS ticket_name, ticket_iv, ticket_encdata, ticket_hmac;
982 SSL_SESSION *sess = NULL;
983 unsigned char *sdec = NULL;
984 size_t sdec_len = 0;
985 const unsigned char *p;
986 unsigned char hmac[EVP_MAX_MD_SIZE];
987 HMAC_CTX *hctx = NULL;
988 EVP_CIPHER_CTX *cctx = NULL;
989 SSL_CTX *tctx = s->initial_ctx;
990 int slen, hlen;
991 int alert_desc = SSL_AD_INTERNAL_ERROR;
992 int ret = TLS1_TICKET_FATAL_ERROR;
993
994 *psess = NULL;
995
996 if (!CBS_get_bytes(ticket, &ticket_name, 16))
997 goto derr;
998
999 /*
1000 * Initialize session ticket encryption and HMAC contexts.
1001 */
1002 if ((cctx = EVP_CIPHER_CTX_new()) == NULL)
1003 goto err;
1004 if ((hctx = HMAC_CTX_new()) == NULL)
1005 goto err;
1006
1007 if (tctx->internal->tlsext_ticket_key_cb != NULL) {
1008 int rv;
1009
1010 /*
1011 * The API guarantees EVP_MAX_IV_LENGTH bytes of space for
1012 * the iv to tlsext_ticket_key_cb(). Since the total space
1013 * required for a session cookie is never less than this,
1014 * this check isn't too strict. The exact check comes later.
1015 */
1016 if (CBS_len(ticket) < EVP_MAX_IV_LENGTH)
1017 goto derr;
1018
1019 if ((rv = tctx->internal->tlsext_ticket_key_cb(s,
1020 (unsigned char *)CBS_data(&ticket_name),
1021 (unsigned char *)CBS_data(ticket), cctx, hctx, 0)) < 0)
1022 goto err;
1023 if (rv == 0)
1024 goto derr;
1025 if (rv == 2) {
1026 /* Renew ticket. */
1027 s->internal->tlsext_ticket_expected = 1;
1028 }
1029
1030 /*
1031 * Now that the cipher context is initialised, we can extract
1032 * the IV since its length is known.
1033 */
1034 if (!CBS_get_bytes(ticket, &ticket_iv,
1035 EVP_CIPHER_CTX_iv_length(cctx)))
1036 goto derr;
1037 } else {
1038 /* Check that the key name matches. */
1039 if (!CBS_mem_equal(&ticket_name,
1040 tctx->internal->tlsext_tick_key_name,
1041 sizeof(tctx->internal->tlsext_tick_key_name)))
1042 goto derr;
1043 if (!CBS_get_bytes(ticket, &ticket_iv,
1044 EVP_CIPHER_iv_length(EVP_aes_128_cbc())))
1045 goto derr;
1046 if (!EVP_DecryptInit_ex(cctx, EVP_aes_128_cbc(), NULL,
1047 tctx->internal->tlsext_tick_aes_key, CBS_data(&ticket_iv)))
1048 goto err;
1049 if (!HMAC_Init_ex(hctx, tctx->internal->tlsext_tick_hmac_key,
1050 sizeof(tctx->internal->tlsext_tick_hmac_key), EVP_sha256(),
1051 NULL))
1052 goto err;
1053 }
1054
1055 /*
1056 * Attempt to process session ticket.
1057 */
1058
1059 if ((hlen = HMAC_size(hctx)) < 0)
1060 goto err;
1061
1062 if (hlen > CBS_len(ticket))
1063 goto derr;
1064 if (!CBS_get_bytes(ticket, &ticket_encdata, CBS_len(ticket) - hlen))
1065 goto derr;
1066 if (!CBS_get_bytes(ticket, &ticket_hmac, hlen))
1067 goto derr;
1068 if (CBS_len(ticket) != 0) {
1069 alert_desc = SSL_AD_DECODE_ERROR;
1070 goto err;
1071 }
1072
1073 /* Check HMAC of encrypted ticket. */
1074 if (HMAC_Update(hctx, CBS_data(&ticket_name),
1075 CBS_len(&ticket_name)) <= 0)
1076 goto err;
1077 if (HMAC_Update(hctx, CBS_data(&ticket_iv),
1078 CBS_len(&ticket_iv)) <= 0)
1079 goto err;
1080 if (HMAC_Update(hctx, CBS_data(&ticket_encdata),
1081 CBS_len(&ticket_encdata)) <= 0)
1082 goto err;
1083 if (HMAC_Final(hctx, hmac, &hlen) <= 0)
1084 goto err;
1085
1086 if (!CBS_mem_equal(&ticket_hmac, hmac, hlen))
1087 goto derr;
1088
1089 /* Attempt to decrypt session data. */
1090 sdec_len = CBS_len(&ticket_encdata);
1091 if ((sdec = calloc(1, sdec_len)) == NULL)
1092 goto err;
1093 if (EVP_DecryptUpdate(cctx, sdec, &slen, CBS_data(&ticket_encdata),
1094 CBS_len(&ticket_encdata)) <= 0)
1095 goto derr;
1096 if (EVP_DecryptFinal_ex(cctx, sdec + slen, &hlen) <= 0)
1097 goto derr;
1098
1099 slen += hlen;
1100
1101 /*
1102 * For session parse failures, indicate that we need to send a new
1103 * ticket.
1104 */
1105 p = sdec;
1106 if ((sess = d2i_SSL_SESSION(NULL, &p, slen)) == NULL)
1107 goto derr;
1108 *psess = sess;
1109 sess = NULL;
1110
1111 ret = TLS1_TICKET_DECRYPTED;
1112 goto done;
1113
1114 derr:
1115 ERR_clear_error();
1116 s->internal->tlsext_ticket_expected = 1;
1117 ret = TLS1_TICKET_NOT_DECRYPTED;
1118 goto done;
1119
1120 err:
1121 *alert = alert_desc;
1122 ret = TLS1_TICKET_FATAL_ERROR;
1123 goto done;
1124
1125 done:
1126 freezero(sdec, sdec_len);
1127 EVP_CIPHER_CTX_free(cctx);
1128 HMAC_CTX_free(hctx);
1129 SSL_SESSION_free(sess);
1130
1131 return ret;
1132 }
1133